Tanium Threat Response¶
About¶
Tanium Threat Response eases the collaboration challenges faced by security and IT teams, providing an integrated view across your digital infrastructure.
Product Details¶
Vendor URL: Tanium Threat Response
Product Type: Endpoint Detection and Response
Product Tier: Tier I
Integration Method: Syslog
Integration URL: Tanium Connect
Log Guide: Tanium Threat Response Guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 95%
Data Label: TANIUM_THREAT_RESPONSE
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| ComputerIP | principal.ip |
| ComputerName | target.hostname |
| domain | target.administrative_domain |
| finding.artifact.windows_defender_event.event.exploit_guard_blocked.id | metadata.product_log_id |
| finding.artifact.windows_defender_event.event.exploit_guard_blocked.path | principal.process.command_line |
| finding.artifact.windows_defender_event.event.exploit_guard_blocked.path | security_result.about.file.full_path |
| finding.artifact.windows_defender_event.event.exploit_guard_blocked.process_name | principal.process.file.full_path |
| finding.artifact.windows_defender_event.event.malware_action_v2.action_type | security_result.action_details |
| finding.artifact.windows_defender_event.event.malware_action_v2.additional_actions | security_result.description |
| finding.artifact.windows_defender_event.event.malware_action_v2.category_name | security_result.category_details |
| finding.artifact.windows_defender_event.event.malware_action_v2.detection_id | security_result.rule_id |
| finding.artifact.windows_defender_event.event.malware_action_v2.detection_source | security_result.threat_feed_name |
| finding.artifact.windows_defender_event.event.malware_action_v2.error_description | metadata.description |
| finding.artifact.windows_defender_event.event.malware_action_v2.path | principal.process.command_line |
| finding.artifact.windows_defender_event.event.malware_action_v2.path | security_result.about.file.full_path |
| finding.artifact.windows_defender_event.event.malware_action_v2.severity_name | security_result.severity |
| finding.artifact.windows_defender_event.event.malware_action_v2.severity_name | security_result.severity_details |
| finding.artifact.windows_defender_event.event.malware_action_v2.threat_id | security_result.threat_id |
| finding.artifact.windows_defender_event.event.malware_action_v2.threat_name | security_result.threat_name |
| finding.artifact.windows_defender_event.event.malware_detection_v2.action_type | security_result.action_details |
| finding.artifact.windows_defender_event.event.malware_detection_v2.additional_actions | security_result.description |
| finding.artifact.windows_defender_event.event.malware_detection_v2.category_name | security_result.category_details |
| finding.artifact.windows_defender_event.event.malware_detection_v2.detection_id | security_result.rule_id |
| finding.artifact.windows_defender_event.event.malware_detection_v2.detection_source | security_result.threat_feed_name |
| finding.artifact.windows_defender_event.event.malware_detection_v2.error_description | metadata.description |
| finding.artifact.windows_defender_event.event.malware_detection_v2.path | principal.process.command_line |
| finding.artifact.windows_defender_event.event.malware_detection_v2.path | security_result.about.file.full_path |
| finding.artifact.windows_defender_event.event.malware_detection_v2.severity_name | security_result.severity |
| finding.artifact.windows_defender_event.event.malware_detection_v2.severity_name | security_result.severity_details |
| finding.artifact.windows_defender_event.event.malware_detection_v2.threat_id | security_result.threat_id |
| finding.artifact.windows_defender_event.event.malware_detection_v2.threat_name | security_result.threat_name |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.action_type | security_result.action_details |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.additional_actions | security_result.description |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.category_name | security_result.category_details |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.detection_id | security_result.rule_id |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.detection_source | security_result.threat_feed_name |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.error_description | metadata.description |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.path | principal.process.command_line |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.path | security_result.about.file.full_path |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.process_name | principal.process.file.full_path |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.severity_name | security_result.severity |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.severity_name | security_result.severity_details |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.threat_id | security_result.threat_id |
| finding.artifact.windows_defender_event.event.unwanted_application_detected.threat_name | security_result.threat_name |
| IntelId | security_result.rule_id |
| IntelLabels | security_result.description |
| IntelName | metadata.product_event_type |
| IntelName | security_result.summary |
| IntelName | security_result.threat_name |
| IntelType | security_result.rule_type |
| MatchDetails.match.contexts.0.event.registrySet.keyPath | target.registry.registry_key |
| MatchDetails.match.contexts.0.event.registrySet.valueName | target.registry.registry_value_name |
| MatchDetails.match.properties.args | security_result.about.process.command_line |
| MatchDetails.match.properties.file.fullpath | target.process.file.full_path |
| MatchDetails.match.properties.file.md5 | target.process.file.md5 |
| MatchDetails.match.properties.file.sha1 | target.process.file.sha1 |
| MatchDetails.match.properties.file.sha256 | target.process.file.sha256 |
| MatchDetails.match.properties.fullpath | target.process.file.full_path |
| MatchDetails.match.properties.local_port | principal.port |
| MatchDetails.match.properties.md5 | target.process.file.md5 |
| MatchDetails.match.properties.parent.args | security_result.about.process.command_line |
| MatchDetails.match.properties.parent.file.fullpath | target.process.parent_process.file.full_path |
| MatchDetails.match.properties.parent.file.md5 | target.process.parent_process.file.md5 |
| MatchDetails.match.properties.parent.parent.file.fullpath | target.process.parent_process.parent_process.file.full_path |
| MatchDetails.match.properties.parent.parent.file.md5 | target.process.parent_process.parent_process.file.md5 |
| MatchDetails.match.properties.parent.parent.parent.file.fullpath | target.process.parent_process.parent_process.parent_process.file.full_path |
| MatchDetails.match.properties.parent.parent.parent.file.md5 | target.process.parent_process.parent_process.parent_process.file.md5 |
| MatchDetails.match.properties.parent.parent.parent.parent.file.fullpath | target.process.parent_process.parent_process.parent_process.parent_process.file.full_path |
| MatchDetails.match.properties.parent.parent.parent.parent.file.md5 | target.process.parent_process.parent_process.parent_process.parent_process.file.md5 |
| MatchDetails.match.properties.parent.parent.parent.parent.parent.file.fullpath | target.process.parent_process.parent_process.parent_process.parent_process.parent_process.file.full_path |
| MatchDetails.match.properties.parent.parent.parent.parent.parent.file.md5 | target.process.parent_process.parent_process.parent_process.parent_process.parent_process.file.md5 |
| MatchDetails.match.properties.parent.parent.parent.parent.parent.pid | target.process.parent_process.parent_process.parent_process.parent_process.parent_process.pid |
| MatchDetails.match.properties.parent.parent.parent.parent.pid | target.process.parent_process.parent_process.parent_process.parent_process.pid |
| MatchDetails.match.properties.parent.parent.parent.pid | target.process.parent_process.parent_process.parent_process.pid |
| MatchDetails.match.properties.parent.parent.pid | target.process.parent_process.parent_process.pid |
| MatchDetails.match.properties.parent.pid | target.process.parent_process.pid |
| MatchDetails.match.properties.pid | target.process.pid |
| MatchDetails.match.properties.ppid | target.process.parent_pid |
| MatchDetails.match.properties.protocol | network.ip_protocol |
| MatchDetails.match.properties.remote_ip | target.ip |
| MatchDetails.match.properties.remote_port | target.port |
| MatchDetails.match.properties.sha1 | target.process.file.sha1 |
| MatchDetails.match.properties.sha256 | target.process.file.sha256 |
| MITRE Techniques | security_result.threat_id |
| os | principal.platform_version |
| patch_level | principal.platform_patch_level |
| platform | principal.platform |
| product_name | metadata.product_name |
| user | principal.user.userid |
| username | target.user.userid |
| vendor_name | metadata.vendor_name |
| windows_event_type | security_result.description |
Product Event Types¶
| IntelName | UDM Event Type | Security Result Category | alerting |
|---|---|---|---|
| all events | SCAN_HOST | TRUE | |
| Malicious | SOFTWARE_MALICIOUS | ||
| Suspicious | SOFTWARE_MALICIOUS | ||
| Uncommon | SOFTWARE_MALICIOUS |
Log Sample¶
2022-03-03T09:25:03-08:00 10.0.0.4 {"Alert Id":"sa12q555s-askqi9231","Timestamp":"2022-03-03T17:24:07.000Z","Computer Name":"Hostname1","Computer IP":"10.0.0.12","Intel Id":1206,"Intel Type":"defender","Intel Name":"Defender Intel","Intel Labels":"","Match Details":{"service_id":"193857591-195860021","finding":{"intel_id":"1206","hunt_id":"5","threat_id":"Exploit Guard","source_name":"windows_defender","domain.com_info":{"os":"Microsoft Windows Server 2019 Standard","build_number":"17763","patch_level":"10.0.17763.0.0","bits":64,"platform":"Windows"},"artifact":{"instance_hash":"19485860001","artifact_hash":"19485860001","windows_defender_event":{"timestamp_ms":"1646328239359","event":{"exploit_guard_blocked":{"id":"LQ173457-XNMMW56","detection_time":"2022-03-03T17:24:00.908Z","user":"johndoe\\domain.com","path":"C:\\Windows\\domain.com32\\lsass.exe","process_name":"C:\\Program Files\\dynatrace\\oneagent\\agent\\lib64\\oneagentplugin.exe"}}}},"first_seen":"2022-03-03T17:24:06.854539Z","last_seen":"2022-03-03T17:24:06.854539Z","whats":[{"source_name":"windows_defender","artifact_activity":{"acting_artifact":{"process":{"file":{"file":{"path":"C:\\Program Files\\dynatrace\\oneagent\\agent\\lib64\\oneagentplugin.exe"}},"user":{"user":{"name":"johndoe","domain":"domain.com"}}}},"relevant_actions":[{"target":{"file":{"path":"C:\\Windows\\SYSTEM32\\lsass.exe"}},"timestamp":"2022-03-03T17:23:59.359Z"}]},"security_event":{"timestamp":"2022-03-03T17:23:59.359Z","type_identifier":"1121"},"additional_fields":{"id":"LQ173457-XNMMW56","detection_time":"2022-03-03T17:24:00.908Z"}}],"description":"Exploit Guard"}},"Question":"Tanium Threat Response Alerts"}
Sample Parsing¶
metadata.event_timestamp = "2022-03-03T17:24:07Z"
metadata.event_type = "SCAN_HOST"
metadata.vendor_name = "Tanium"
metadata.product_name = "Threat Response"
metadata.product_event_type = "Defender Intel"
metadata.ingested_timestamp = "2022-03-03T17:31:09.956043Z"
principal.user.userid = "johndoe\\domain.com"
principal.process.file.full_path = "C:\Program Files\dynatrace\oneagent\agent\lib64\oneagentplugin.exe"
principal.process.command_line = "C:\Windows\domain.com32\lsass.exe"
principal.platform = "WINDOWS"
principal.ip = "10.0.0.12"
principal.platform_version = "Microsoft Windows Server 2019 Standard"
principal.platform_patch_level = "10.0.17763.0.0"
target.hostname = "Hostname1"
observer.ip = "10.0.0.4"
security_result.about.file.full_path = "C:\Windows\domain.com32\lsass.exe"
security_result.threat_name = "Defender Intel"
security_result.summary = "Defender Intel"
security_result.description = "exploit_guard_blocked"
security_result.severity = "HIGH"
security_result.confidence = "LOW_CONFIDENCE"
security_result.priority = "HIGH_PRIORITY"
security_result.rule_id = "1206"
security_result.alert_state = "ALERTING"
security_result.rule_type = "defender"
Parser Alerting¶
Alerting criteria is listed in the Product Event Types table above.
Rules¶
Coming soon